What starting position does this attack require?

The first step is Steal instance role credentials (T1552) — a credential access primitive. Assumed environment: target operates AWS-hosted web apps with broad EC2 IAM role attachments.

What is the final impact of this kill-chain?

The final step lands on Mass GetObject of customer data (APT-CAPITAL-ONE-SSRF), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)

A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.

Filed by AD Knowledge BasePublished 2026-05-27

§ Kill-chainDrag · zoom · scroll

Credential Access

Steal instance role credentials

T1552 · Unsecured Credentials

Lateral Movement

Find SSRF primitive on the web app

W-SSRF · Server-Side Request Forgery (SSRF)

Collection

ListBucket via stolen role

C-S3-EXFIL · S3 / Blob / GCS Mass Exfil

Credential Access

Reach 169.254.169.254 IMDSv1

C-IMDS-V1 · IMDSv1 Credential Theft

Initial Access

Mass GetObject of customer data

APT-CAPITAL-ONE-SSRF · Cloud SSRF → IMDS → Bucket Exfil (Capital One 2019)

§ Context

Assumed environment: target operates AWS-hosted web apps with broad EC2 IAM role attachments. IMDSv1 still enabled. WAF rules occasionally introduce SSRF-class behaviour.

§ Steps

01
Steal instance role credentialsCredential Access
T1552— Unsecured Credentials
02
Find SSRF primitive on the web appLateral Movement
W-SSRF— Server-Side Request Forgery (SSRF)
03
ListBucket via stolen roleCollection
C-S3-EXFIL— S3 / Blob / GCS Mass Exfil
04
Reach 169.254.169.254 IMDSv1Credential Access
C-IMDS-V1— IMDSv1 Credential Theft
05
Mass GetObject of customer dataInitial Access
APT-CAPITAL-ONE-SSRF— Cloud SSRF → IMDS → Bucket Exfil (Capital One 2019)

§ References

T1552Unsecured Credentials

§ Frequently asked

What is the "WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)" attack path?: A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Steal instance role credentials (T1552) — a credential access primitive. Assumed environment: target operates AWS-hosted web apps with broad EC2 IAM role attachments.
What is the final impact of this kill-chain?: The final step lands on Mass GetObject of customer data (APT-CAPITAL-ONE-SSRF), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)

SSRF → IMDS → AssumeRole chain → Org admin

Public bucket → CI/CD secret leak → cloud takeover

SSRF → IMDS → cloud creds → lateral